Former Secretary of the U.S. Department of Homeland Security Michael Chertoff will be speaking at the 2018 Cyber Risk Forum on April 16, 2018 in San Francisco. Hosted alongside RSA® Conference, Corporate Board Member and Chief Executive are presenting the 3rd annual Cyber Risk Forum to provide CEOs and board members with the opportunity to explore emerging trends, prevalent threats and strategic opportunities surrounding cybersecurity. Click here to register.
In part 2 of our 2-part interview, Corporate Board Member caught up with Chertoff to talk about what boards are missing with regard to cybersecurity. Click here for part 1.
Q: In your experience, what do boards and CEOs not get about cybersecurity? What’s the big gap in understanding?
A: The costly and dynamic nature of cybersecurity threats makes them a top risk for many businesses; board directors and management, however, often struggle with understanding and responding to the scope of this rapidly changing risk. For most boards, cybersecurity is far from a core competency. Many C-suite executives and board directors, are not well-versed in security measures and would be unable to effectively guard against and mitigate an attack. This lack of fluency can contribute to indecision or avoidance when dealing with cybersecurity, and in the worst cases, a resigned acceptance that attacks are unavoidable.
The following guidelines can help strengthen businesses’ security programs by identifying core cybersecurity competencies and delegating each to the appropriate level of management. Consider including these cybersecurity fundamentals in your advisory arsenal.
“boards and other key players are responsible for anticipating future threats and assessing the company’s ability to guard against potential attacks.”
Risk Management
Management-led; overseen and directed by boards:
- Governance: This critical component identifies the parameters necessary for companies to remain secure and compliant. Governance parameters should be clear, consistent, measurable, well-prioritized and aim to guard what the company identifies as its most sensitive assets. Management should define parameters to be reviewed and approved by the board.
- Measurement: Managers should clearly define a successful risk-management model to establish consistent security priorities and goals, and periodically ensure company alignment with this model. Performance results should be shared appropriately among key stakeholders, management, and the board.
- Response: The board is responsible for ensuring that management is capable of successfully carrying out proposed security plans and should recommend any adjustments necessary to make plans executable.
Join us in San Francisco on April 16 for the Cyber Risk Forum. Keynotes include Michael Chertoff, former Secretary of Homeland Security, and Rob Joyce, White House Cybersecurity Coordinator. Space is limited to 50 CEOs and Board Members. Register today!
Creating a Security-Conscious Organization
Board-led:
- Culture: A security-driven culture is critical to enforcing cybersecurity over time. Boards should ensure that CEOs are exemplifying and encouraging this culture; company leaders should set a precedent that permeates throughout the organization. Further, boards should clarify and promote the incentives of cybersecurity compliance, including growing top-line revenue, lowering operations costs, improving quality of service, entering new markets, and recruiting and retaining high-performing employees.
- People: The CEO and technical staff play vital cybersecurity roles; boards should feel confident in their abilities to implement and uphold the company’s cybersecurity values. Incentive, training and professional development programs should be strong enough to retain valuable employees. Boards should periodically evaluate these employees and incentive programs, making necessary changes to support the company’s security goals.
Anticipating Change
Shared responsibility between management and board.
- Policy: Cybersecurity is a critical concern driving major regulatory and legislative shifts in the U.S. and worldwide. Management, boards, and companies as a whole should continuously track and prepare for upcoming policy changes. A business caught unaware of new regulations can incur considerable costs. The European Union’s General Data Protection Regulations (GDPR), for example, will become enforceable in May 2018 and will alter compliance costs and require new data security measures.
- Foresight: The best security programs anticipate and plan for potential incidents. Understanding likely threats, as well as recognizing vulnerabilities and unknown factors, is critical to developing an effective cybersecurity plan. Management, boards and other key players are responsible for anticipating future threats and assessing the company’s ability to guard against potential attacks. When appropriate, trusted third parties can be a helpful tool to assess, audit and provide an outside view of a company’s cybersecurity efforts.